Cultivate a security mindset throughout the organization.
As a general matter, IS policies serve three important purposes.
First, policies help cultivate a security mindset. Simply having information security policies in place raises employee awareness. Requiring employees to read them and sign an acknowledgement sends a clear message: information security is an organizational imperative, not “an IT thing.” Reinforce the message with training and tests.
Management support for the policies is critical to achieving this purpose. Nothing undercuts an initiative like non-compliance at the top.
Educate employees about the importance of data security.
Second, policies educate employees about the security program. More precisely, policies are the foundation for procedures. Security procedures can be burdensome and confusing, even intimidating to many. We need to make people care about data security first before diving into the details.
Policies are an opportunity to explain and emphasize universal reasons to care, such as:
- Information is a valuable asset. It must be kept confidential, accurate, usable and available to the employees who need it to do their jobs.
- Security incidents disrupt normal operations. Systems go down. It costs time and money to investigate and repair the damage.
- Data breaches are bad for the bottom line – and future opportunities. Breach notifications and fines are expensive. Loss of reputation and client confidence may be even more costly.
Define and emphasize accountability.
Every organization should expect and require compliance with security procedures. The third purpose of information security policies is to define accountability.
Policy particulars include potential consequences of non-compliance, such as remedial training and negative performance evaluations. However, balance penalties with resources. Make it a policy to have on-call support for security questions and technical problems. Finally, specify who has authority to approve exceptions to standard security procedures based on business needs.
Policies can be a powerful weapon in the cybersecurity war. For maximum impact, take a step back and focus on purpose. Set information security goals first, and specific policies will follow naturally.